Posted
by
Soulskill
on Friday June 29, 2012 @06:31PM
from the sharing-is-caring dept.

sl4shd0rk writes "A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propogates through a zipfile attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server. Once installed, the virus opens a backdoor allowing the attacker on the C+C server to run commands on the compromised machine. Shortly after Kaspersky's announcement, AlienVault Labs claims to have found a similar version of the Mac malware which infects Windows machines. The Windows version appears to be a variant of the Gh0st RAT malware used last month in targeted attacks against Central Tibetan Administration. Both viruses are suspected of being tools in a campaign to attack Uyghur Activists."

I know its overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really dont meet the definition. Frankly, I cant think of a real virus being released in quite some time. Which just seems lazy to me.

I know right?
I mean, since when did a pirate never sail the seas drinking rum and killing people for their loot? I mean they actually worked for it!
But now a days, you got these kids sitting at home, browsing sites, looking for software that is outside their financial reach so they can learn it to get a good job.
What a bunch of ass grabbers!

But now a days, you got these kids sitting at home, browsing sites, looking for software that is outside their financial reach so they can learn it to get a good job.

If you sit at home the only thing within reach would be the keyboard. Seriously, I thought the two M's (including some P) was the stuff most kids got off the Net. That's why you get all these BT lawsuits from the entertainment industry, but few from the BSA, which prefers to target people who don't just sit at home all day.

A friend of mine was doing an internship in Washington DC, he saw on a schedule a congressional briefing thing about piracy. He went assuming it was about napster etc. It was actually about Somalia. He walked away caring about online piracy a little less.

Or popular use of the word becoming a generalization for a class of items, as opposed to a specific item in that class. In other words: the average Joe might care to know what malware is (and use "virus" to describe it), but doesn't care enough to devote brain cells in keeping virus / trojan / backdoor etc apart.

the/. editor is not doing his job, which makes the site a worse place to visit.

You must be new here.

I can expect, and even respect, a healthy amount of slack at a site where the users tend to take things way too seriously. But at some point the untended community garden turns into an abandoned lot, and it's feeling a lot more like that these days.

Oh please! You say trojan to the average user and the want to know why their PC needs a rubber, you say backdoor and they start looking for that rubber for their PC and you say rootkit you get a deer in the headlights look.

Frankly, and I'm sure i'll get hate for saying this but ask me if I care, truth is truth, is that most of those I've seen that really REALLY care about that is because they are "true believers" who want to use it to say "But it doesn't count!" like an 8 year old demanding a do over on the

The only way to patch the "bug" of stupid users being able to install malware on their computers is to prohibit users from installing arbitrary software on their computers, which would be a much bigger bug than any social exploit vulnerability.

If the system didn't get infected by exploiting some weakness of the system, but rather by exploiting a weakness of its user, then the system is not at fault. THIS is why people get defensive. Much like making DRM work, it is impossibly to completely patch the social-

That wasn't always the case with Windows, though; with Outlook and IE, you could at one point infect your system just by reading an email or visiting a website. I still have completely nontechnical clients to this day who are under the impression that it is not safe to visit a suspicious site or read a suspicious email because you might get a virus, so this was a common enough problem to get into even the densest parts of the popular consciousness.

The first named virus was Elk Cloner for the Apple II. The Apple II was not a Mac.
It's not like it's hard to look up the facts and get them right. http://apple2history.org/history/ah23/ [apple2history.org]

I know its overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really dont meet the definition. Frankly, I cant think of a real virus being released in quite some time. Which just seems lazy to me.

Get over it. The real question is: Do you know what they mean? Methinks you do know what it means. It's like the word "organic" and "chemical" at your local Whole Foods. I mean, wtf, if you dump a fertilizer with anything derived from petroleum (a mix of organic compounds) in it, it's not organic, but if you dump water on it (an inorganic chemical, gasp!) then it can still be called organic. The real question is, if you see the word, are you able to determine from context what it means? In the case

I know its overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really dont meet the definition. Frankly, I cant think of a real virus being released in quite some time. Which just seems lazy to me.

Once installed, the virus opens a backdoor allowing the attacker on the...

Right, it's not a virus and it certainly doesn't open any backdoor, either, unless the malware authors also work for Apple and slipped that one by the QA and security audit guys during the last OS X build. This is misrepresenting what it's probably actually doing, merely initiating a connection to a Chinese server. But using the term "backdoor" makes the summary author sound 1337 and the attackers sound even more nefarious, even if it isn't even close to an accurate description of reality. The OP has done m

Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server.

Not only does it misuse the term "virus", as you mentioned, but it also misuses the term "encrypted". The correct term here is "obfuscated". The obfuscation code might happen to contain something that looks very similar to AES, but it isn't encryption (and it certainly isn't AES) if the "key" can just be recovered from the executable.

I know its overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really dont meet the definition. Frankly, I cant think of a real virus being released in quite some time. Which just seems lazy to me.

Not lazy, just sensational journalism. Exaggerate in the summary to get more people to read it because of how surprising it would be if it were actually true

Either the/. editors are hopping on the sensationalism bandwagon, or they're lazy. Any nerd that sti

No it doesn't, but hepatitis isn't a virus anyway. Hepatitis can be caused by a number of different pathogens and viruses are only one kind. Off the top of my head, Listeria can cause it and so can Cryptosporidium (bacteria and protozoa respectively). Of course this is all academic since your analogy was doomed from the start. You'd have had better luck if you compared it to kissing a person with a cold sore (Herpes) on their lips.

But it's an interesting term to use in this discussion because the lay definition is exactly that - hepatitis as a viral infection. Even if it's not the most common form of hepatitis (it would be alcoholic hepatitis in the US at least), it's the one that most people think of.

That isn't to excuse Slashdot editors or submitters for not making that distinction. Somebody needs to wave the pedantic flag now and again.

True enough, most people do think viral when hepatitis is mentioned, but you wouldn't get away with that kind of imprecision in a professional medical forum. I suppose how much a similar terminological distinction matters depends on how close you consider/. is to being a professional tech forum...

I use Little Snitch [obdev.at] to watch for such things. Unfortunately, with modern software bits and pieces are always calling home. I spend a few hours a week looking up stuff to find out who is doing what.

Pretty much any software with activation. Adobe Creative Suite, Maxon Cinema 4D are two that I can think of off the top of my head. Typically it's when they're first run, and when checking for updates. It's not some spontaneous dialing that happens randomly (that would require a service).

The problem here is that OSX inherently lacks software that raises flags when 'the incident' happens, or at least it seams to be that way.. Does the victim has any built-in protection to deal with such a malware infection?

OS X does not have a malware scanner. It has a list of malicious checksums and only checks files saved through certain applications. Download a malicious file through a torrent for example, and it won't raise a flag.

The problem here is that OSX inherently lacks software that raises flags when 'the incident' happens, or at least it seams to be that way.. Does the victim has any built-in protection to deal with such a malware infection?

Yes, there's built in protection against selected malwares, come mountain lion, unsigned, or signed-with-revoked-certificates binaries will not run by default either.

Does the OS X possess mechanisms to monitor or block outgoing traffic?

Yes, and they're turned on by default.

Does this system even has a proper driver structure to allow insertion of your monitoring pass-through driver into the TCP or disk driver stack?

You're more than welcome to get virus scanners or anything that windows has and it has a firewall. But it already asks you to make sure you're certain you want to run something downloaded and if someone is willing to ignore that and still run a application that someone stranger sent to them then there isn't much hope for them. Idiots will disable anything if they want to run something.

But it already asks you to make sure you're certain you want to run something downloaded and if someone is willing to ignore that and still run a application that someone stranger sent to them then there isn't much hope for them. Idiots will disable anything if they want to run something.

Which is precisely how the vast majority of Windows infections also occur.

It probably is now but between autoplay, outlook's preview pane and numerous other little friendly helpers in Windows up until recently I'd argue that's probably not the case and given that IE still has more exploits than the others followed by Chrome that does mean running either of the top two browsers leaves you vulnerable without intentionally doing something. Unless of course you consider just being on the internet makes it their fault.

That they ever said it is a problem. Now it's in all the fanboi heads and will never go away. Now, I'm not calling every Mac user a fanboi, I'm a Mac user, myself (also Linux and Windows, I use the right tool for the job and none of them are good at everythint I do), so that would be ludircrous. It also pisses me off, as a Mac user, when I'm downmodded for simply voicing my dissent with some of the decisions Apple has made in the age of Lion; some people do truly think that Apple can do now wrong and that,

I was refering to the user, not the system. Lion's a consumer OS with a focus on consumption of media and apps, rather than a general purpose OS, like Snow Leopard. Mountain Lion is only a step further in this direction.

Maybe you noticed it this week (or wired did) but the.au version at least has been saying for a very long time now that they don't get PC viruses. It has been a great point of hilarity in my office for quite some time.

Speaking perfectly normally: they don't. Trojans have existed on Unix variants for decades, but that doesn't mean that the Unix community has been the cesspool of malware that Windows has been. Same for Apple.

If Nintendo ran ads touting the lack of a Red Ring of Death on the Wii, would that equate to saying that the Wii has had zero issues with malfunctioning hardware?

Antivirus software is the wrong approach. To be frank as a security profession AV software alone is worth nothing. Its reactive in terms of signatures and Flame pretty much proves the heuristics don't work. Spend just a few moments slightly modifying any of the common packers so its not quite strait off the net and you still get meterpreter past all the majors.

AV is there to hopefully with lots of dumb luck catch you if your dropped the ball some place else.

I've heard the term before, but not for a while. When I used to hear it, it was a dig at the intelligence of GUI users, as opposed to people who used the CLI. Since the GUI's become so dominant, I haven't heard it nearly so much. Looks like the OP's a recessive.

It's hard to blame Mac when you open an infected file. People have been unwittingly installing Malware and other infecting programs onto Macs for years. This is very different from one that propagates without the help of the user. It's a non story.

Well, except when this happens in the PC world at least some subset of folks do blame Microsoft for it, and loudly.

There was a time when Microsoft WAS at fault - back in the days of Slammer, for example. But most of the malware that goes around anymore relies on social engineering to propagate, because Windows and OS X are really pretty secure.

Microsoft *was* at fault at times like when Outlook express' preview pane ran anything in the preview pane which was on by default so you could get infected by virture of a new email just coming in even if you'd be smart enough not to open it. Which is definitely different from a Mac asking you to be sure and you open it anyway.

Microsoft *was* at fault at times like when Outlook express' preview pane ran anything in the preview pane which was on by default so you could get infected by virture of a new email just coming in even if you'd be smart enough not to open it. Which is definitely different from a Mac asking you to be sure and you open it anyway.

Except remember how Safari had a similar issue several years ago? It could automatically launch stuff that was downloaded just by virtue of you hitting the wrong page? That's why you get asked now - that was part of the fix Apple added to solve the problem.

I've been a Mac user since 2003. I like the OS, and I think it's had a pretty good security track record overall... but Apple's definitely made a few missteps along the way. Nothing of the sheer magnitude of Slammer or Blaster - the only remote OS X exploit I can remember required the attacker to be on the same subnet (think it was an AFS exploit, but I might be mis-remembering).

I realize it can be bad form to reply to oneself, but I wanted to correct one thing - the remote exploit I was thinking of was the 2003 local subnet DHCP exploit [slashdot.org]. That was a remote root exploit that required the attacker to be on the same subnet.

The AFP exploit was from 2010 [cqure.net], and could provide remote access to a user's home directory. Still bad, but not at the same level of bad.

Except remember how Safari had a similar issue several years ago? It could automatically launch stuff that was downloaded just by virtue of you hitting the wrong page?

That particular issue was related to the definition of 'safe' files. By default, every web browser runs some kinds of files, in particular HTML and (usually) JavaScript and images. If you have a vulnerability in your png renderer or HTML parser, for example, then opening any web page will exploit the browser. The only difference with Safari was that PDF was included in the list of files that are safe. The same applies to most browsers with the Adobe plugin installed. The Adobe plugin has also had a number of vulnerabilities in recent years.

The problem here wasn't running code by default, it was loading untrusted data through a large body of complex code outside a sandbox. Chromium and Safari (and, I think, IE9) now open everything that's downloaded from an untrusted source and loaded automatically in an environment with reduced privilege. The Chromium sandbox is a bit better (although it varies a lot depending on the platform: on Windows it's pretty poor) and runs at a finer granularity, so with Safari an exploit may still give an attacker access to state held by other tabs (the same applies to Chromium if you have more than some threshold number of tabs open - 20, I believe).

this isn't a virus, it doesn't replicate. It's an email trojan. It's not a Mac or PC exploit, because it exploits the person not the machine. And it's got a very specific target. Thanks for the warning, I won't, and don't click on attachments anyway.

I know Slashdot editors are famously lazy ('sup, guys!) but why does the summary they posted say "The attachment tricks the Mac user into installing..." when TFA* clearly says "the [attack] described here relies on social engineering to get the user to run the backdoor"? You know, just like every single other Trojan out there?!?** The attachment itself is totally benign until someone clicks on it several times. (Even if you view the message with webmail with Safari's "Open 'safe' files after downloading" in its (admittedly brain-dead) default "checked" position***, you still have to click on the attachment link in your webmail and then double-click the visible file to run it.) The only way this actually happens is if someone reads the email and takes a few steps on their own. As always, the attachment itself does nothing.****

Slashdot has been a techy news site for a decade and a half now. You'd think errors as blatant as this would get caught by the editors, even with their usual lack of checking.

You know what would be an awesome site? Exactly what Slashdot is, but with better editors. (And maybe lay off the JavaScript some.)

Anyway: sky is blue, water is wet, sun rises in the east, and all computers--by definition--are vulnerable to trojans. Film at 11.

And by the way, WTF is "point-and-grunt"? Does that imply that users are dumbly clicking on things? If so, doesn't that also imply that the users just might be the problem? Trojans are trivially easy to write. Here's one in one line:

So there's a Windows version of it that targets Tibetan activists but they bothered to make a mac version of it to...in case Tibetan activists had macs? WHAT?! I don't think they have that kind of money. Something doesn't quite add up there. Whatever, I don't care as long as it knock Apple down a peg again. That "we're magically immune to viruses" crap they finally removed from their website was about 10 years overdue.

No most users feel malware is malware outside of slashdot and saying its not a virus as a way to build your ego is stupid.

The GP pointed out that a trojan horse is not a virus. Trojans need user interaction while viruses are self-propagating. Saying that most users can't tell the difference between them (as you appear to be insinuating) is just plain silly.

Its like saying she is clean! Then you contract hepatitus. But she says she is virus free with a smile and goes on how clean she is.

The vast majority of any OS security exploits are caused by clueless users who click on any link in an email and of course application developers who don't know what the hell they are doing. Then there are the folks who consider themselves IT experts who modify security settings incorrectly, firewall configurations incorrectly. and user and program permission. Just running a 3rd party security scan on your code does not mean it is 100% secure. This is especially prevalent in the business world were the dev

More accurately, OS X does get and can spread Windows viruses to other Macs and Windows machines... however, OS X is unaffected by them. Virus is yet another class of software that, these days, still only works on Windows thanks to Microsoft listening to their insane user-base that keeps insisting it needs backwards compatibility to run outmoded, outdated 20yr old software that in reality no one still uses... though they still insist that they do and somehow haven't yet heard of this new fangled trend in co

This story isn't covering a virus either. It is a malicious application but one that relies on an idiot running an application from a stranger and ignoring the warning suggesting that maybe you shouldn't open it.

This story isn't covering a virus either. It is a malicious application but one that relies on an idiot running an application from a stranger and ignoring the warning suggesting that maybe you shouldn't open it.

meh, by that logic HIV isn't a virus because it relies on idiots doing things with strangers and ignoring all the warnings suggesting that maybe they shouldn't be doing those things.

I think relying on human stupidity to allow malware deliver its payload into the sweet elevated privileged levels it n

Wake me up when they find something that can infect a Mac connected to the internet when no is one using it. You know, kind of like "install windows, connect to internet, pwned in 15 minutes"?

Anyone can do a user-mode trojan that says "PLEEZE INSTAWL ME! I'M A UPGRAYD!"

That was only an issue with Pre- WindowsXP-SP2 computers. SP2 was released 8 years ago. With SP2 Windows firewall came enabled by default, which protected unpatched services (like SMB) from being connected directly to the internet.

I never believed that anyway. What IS interesting, however, is that every AV vendor now actively prevents analysis of how many virus infections exits per platform, which is actually a very significant bit of data.

Windows malware numbers in the millions (30M, last time I was able to get a figure), whereas OSX malware numbers somewhere in the 40K by now. That's a shade over 1% of the exposure that Windows platforms have - which still makes it a heck of a lot less risky.